Because of its very nature, ensuring compliance with export regulations for your company’s data can present some special challenges. Physical objects can be locked in a room. Data can reside in multiple places at once and can move from point A to point B in an instant.
OK, I’ll admit it, I don’t have any tricks for applying export controls to your technical data, but I do have some tips. All companies, large and small, must understand where controlled data resides in hard or soft copy and what type of access controls need to be put in place to protect it from an unauthorized export—deemed export or otherwise.
There’s technical data everywhere, so how do you properly identify it and how do you know if it’s controlled for export purposes? Are we talking about just the proprietary secret sauce or is there more to it? Unfortunately, it depends; specifically it depends on whether we are talking about the Export Administration Regulations (EAR) or the International Traffic in Arms Regulations (ITAR).
The EAR is more explicit in the definition of controlled technical data than the ITAR. The EAR defines controlled technical data as an export of technology that is required for the “development, production or use” of items on the Commerce Control List is controlled according to the provisions in each product category.
Be sure you actually read the ECCN classification that applies to your product. Don’t assume that the ECCN classification applies to all three aspects of technology—development, product and use. Sometimes it’s just development and production technology that’s controlled. And there are cases such as ECCN 9E515 that calls out specific information such as “failure analysis.”
The definition of Required in Part 772 of the EAR “refers to only that portion of ‘technology’ or ‘software’ which is peculiarly responsible for achieving or exceeding the controlled performance levels, characteristics or functions.” This definition could help eliminate technical data that is more benign in nature from being controlled.
The ITAR, on the other hand, does not define required, so you must assume it’s any information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of a defense article.
Work with IT to obtain an entire list of software applications, servers, cloud services, FTP sites, and other external facing tools (i.e. web conferencing services) to determine how controlled technical data could be stored or shared. Once you’ve done that, work with your development and production engineers, sales and marketing staff, and customer support personnel to find out what types of technical data is stored or shared on these systems.
In tip number 3, ask about all types of technical data. Just because marketing has decided to post information on your internet site doesn’t make it publicly available for export regulation purposes. And your customer support group shouldn’t be able to access controlled technical data such as a design diagram and send it to anyone who asks.
Use automated controls for segregating controlled technical data. Once you identify what needs to be controlled, it’s time to make sure not just anyone can access it. SharePoint, share drives, and other databases need to have permissions established at a user level.
Theoretical access to controlled technical data is still a violation for foreign nationals who would otherwise require an export license for access. So, even though a foreign national has no reason to access controlled data or has never accessed controlled data, it’s still considered a violation if they could have theoretically accessed it.
Larger exporters and certainly ITAR- and defense-related companies might want to consider rights/entitlement management software that will identify and block controlled technical data from being emailed or downloaded from a laptop to a USB memory device.
All controlled technical data should be marked as such to any extent possible. This means adding verbiage such as “EAR Controlled Technology” or “ITAR Restricted Technology” to each page of your document or picture files in both soft and hard copy. Any external storage such as CDs, DVDs or USB memory devices must be marked as well.
A more thorough statement might be warranted if your company shares controlled technical data with contract manufactures or other partners who require it. We’ve even seen companies mark documents with the ECCN classification to be extra diligent.
Include a Technology Control Plan (TCP) within your company's Export Management and Compliance Program (EMCP). Both the Bureau of Industry and Security (BIS) and the Directorate of Defense Trade Controls (DDTC) will expect you to have one in place, and it’s best if you partner with your IT and security departments to create it. The TCP describes physical and automated methods of restricting access to areas that contain controlled technical data.
Even if no foreign personnel access is planned, your company still needs formal, written internal controls to prevent unauthorized access by any foreign persons on company premises or by electronic means. This means a full description of physical building and site security (e.g. gates, badges, secured entry/exits, locked file cabinets, etc.) where controlled technical data exists, as well as the applications, servers and back up devices where the data is stored.
Don’t let your engineers (or anyone else for that matter) travel with controlled technical data unless there is an export license or other government authorization in place. Your company might have procedures for hand carrying tools of the trade (e.g. laptops, PDAs, smartphones, etc) through customs, but many companies forget that the data on these devices could be subject to export regulations.
If an employee will be travelling with controlled technical data, make sure the files and folders are encrypted and non-essential controlled technical data is removed altogether.
Include a technical data section in your annual company-wide export training. People need reminders that they should not be emailing or sending controlled technical data by FTP—even internally—unless there are secure methods being used and the recipient is authorized. This is also a great opportunity to remind your sales team that trade show materials and other marketing documents should be scrutinized for controlled technical data information prior to the show.
Include a section in your next export audit for ensuring controls are in place for accessing controlled technical data. Make sure system owners get approval from trade compliance for adding or changing access permissions for foreign nationals. Also check to see if any cloud computing, offshore IT, or contract manufacturing agreements have been put in place since the last audit and what controls have been put in place if necessary.
I hope these tips have triggered at least a few ideas to strengthen your export compliance program. Controlled technical data is an area every company needs to address, even if you are not a direct exporter. It can be a painful process to add access controls, but having a TCP and EMCP in place will help ensure that a company-wide effort is employed and you’re not alone in the effort!